3

I know that there are topics with this problem, but the config which I made is correct and I compared it to a project where it works correctly. I want to "unsecure" a /login endpoint for JWT security, but still the AuthenticationFilter runs before reaching the /login endpoint. I'm confused why it is not working.

My code below:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated();

        http
                .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        http.headers().cacheControl();
    }

Gajanan Kulkarni
Bart
  • Possible duplicate of [How to add a filter only for one special path WebSecurityConfigurerAdapter](https://stackoverflow.com/questions/45820372/how-to-add-a-filter-only-for-one-special-path-websecurityconfigureradapter) – jfneis Aug 23 '17 at 12:45

1 Answer

0

Duplicate: How to add a filter only for one special path WebSecurityConfigurerAdapter

You can't do that with a single Configuration class. Take a look at this question: How to apply spring security filter only on secured endpoints?.

In this case, I think the better solution is to configure multiple HttpSecurity. From Spring IO documentation:

We can configure multiple HttpSecurity instances just as we can have multiple `<http>` blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

The documentation has a full example with the necessary steps to accomplish this:

  1. Configure Authentication as normal
  2. Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
  3. The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
  4. Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Good luck!

jfneis
  • So watch this example project and show me more than 1 configuration https://github.com/szerhusenBC/jwt-spring-security-demo/blob/master/src/main/java/org/zerhusen/config/WebSecurityConfig.java – Bart Aug 24 '17 at 05:11
  • @Bart in this example you have only one class extending WebSecurityConfigurerAdapter. You need 2 or more, as the Spring IO link that I linked shows. Did you try it? – jfneis Aug 24 '17 at 12:15
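
The multiple-HttpSecurity layout from the answer above, applied to the question's /login case, as an added example that is not code from the thread or from the Spring documentation. The class names, the `authenticationTokenFilterBean` bean name and the presence of an `AuthenticationEntryPoint` bean are assumptions taken from the question's snippet.

```java
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class MultiHttpSecurityConfig {
    // Chain 1, consulted first: matches only /login, and the JWT filter is never added to it.
    @Configuration
    @Order(1)
    public static class LoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/login")
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().anyRequest().permitAll();
        }
    }

    // Chain 2, no @Order (last) and no antMatcher: handles every request chain 1 did not match.
    @Configuration
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        private final AuthenticationEntryPoint unauthorizedHandler;
        private final Filter jwtFilter;
        // Assumption: the question's filter is exposed as a bean named authenticationTokenFilterBean.
        public ApiSecurityConfig(AuthenticationEntryPoint unauthorizedHandler,
                                 @Qualifier("authenticationTokenFilterBean") Filter jwtFilter) {
            this.unauthorizedHandler = unauthorizedHandler;
            this.jwtFilter = jwtFilter;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().anyRequest().authenticated();
            http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
            http.headers().cacheControl();
        }
    }
}
```

In a Spring Boot application, a `Filter` exposed as a bean is also registered with the servlet container for every URL, outside Spring Security's chains, so it would still run for /login. Declaring a `FilterRegistrationBean` for it with `setEnabled(false)` keeps it inside the security chain only.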